Chemolli Francesco (USI) wrote:
> Isn't this exactly the pinning that would be needed all over the
> (NTLM) place? Can't we just use the tunneling primitives?
Sure, but then all logging is lost, and you still have the same security
issues with cache hierarchies.
Scenario:
Two users behind a second-level proxy not knowing about NTLM.
User a logs in to an origin server using NTLM, causing the top-level
proxy's connection to the NTLM-enabled server to be logged in.
User b requests an object on the same server, and persistent connection
management causes user b's request to be sent on the connection opened
by user a, thereby inheriting the privileges of user a.
So NTLM proxying ends up being a bad idea unless the whole environment is
controlled and you know there are no second-level proxies not knowing
about NTLM.
-- Henrik
Received on Fri Apr 13 2001 - 03:25:36 MDT
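
The scenario above as a small simulation, added here as an illustration and not part of the original message or of any proxy's code. All class and function names are hypothetical, and NTLM is reduced to "the origin remembers who authenticated on this connection". It shows that pinning at the top-level proxy isolates directly connected clients but not users multiplexed by an NTLM-unaware child proxy.

```python
class OriginConn:
    """One connection to the origin; NTLM-style auth binds identity to it."""
    def __init__(self):
        self.authed_as = None

    def request(self, path, ntlm_user=None):
        if ntlm_user:                      # handshake completed on this connection
            self.authed_as = ntlm_user
        return self.authed_as              # identity the origin serves the request as


class TopProxy:
    """Top-level proxy; it only sees client connections, never end users."""
    def __init__(self, pin):
        self.pin = pin
        self.shared = None                 # one persistent origin connection for all
        self.pinned = {}                   # client connection id -> origin connection

    def forward(self, client_conn, path, ntlm_user=None):
        if self.pin:                       # pinning: one origin conn per client conn
            conn = self.pinned.setdefault(client_conn, OriginConn())
        else:                              # ordinary persistent connection reuse
            if self.shared is None:
                self.shared = OriginConn()
            conn = self.shared
        return conn.request(path, ntlm_user)


class ChildProxy:
    """Second-level proxy unaware of NTLM: all users share one upstream connection."""
    def __init__(self, parent):
        self.parent = parent

    def forward(self, user, path, ntlm_user=None):
        # The per-user distinction is lost here; the parent sees a single connection.
        return self.parent.forward("child-conn-1", path, ntlm_user)


def served_as_for_user_b(pin, via_child):
    """User a authenticates, then user b sends an unauthenticated request."""
    top = TopProxy(pin)
    if via_child:
        child = ChildProxy(top)
        child.forward("a", "/private", ntlm_user="a")
        return child.forward("b", "/private")
    top.forward("conn-a", "/private", ntlm_user="a")
    return top.forward("conn-b", "/private")
```
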